Update frogbot-scan-and-fix.yml #3

Open
wants to merge 5 commits into
base: main
2 changes: 1 addition & 1 deletion .github/workflows/frogbot-scan-and-fix.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
- uses: actions/checkout@v4

# IMPORTANT:
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
# 1. Please See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md

- uses: jfrog/frogbot@v2
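Review bot: the only change in this hunk is "See" becoming "Please See" in a comment, and the mid-sentence capital S should be lowercase ("Please see the following link ..."); the workflow steps themselves (`actions/checkout@v4`, `jfrog/frogbot@v2`) are untouched, so nothing else needs review here.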
4 changes: 2 additions & 2 deletions pythonExample/pythonProj.py
Expand Up @@ -2,7 +2,7 @@

# Function definition is here
def printme( str ):
# This prints a passed string into this function
# This prints out a passed string into this function
print (str)
return;

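Review bot: the changed comment only swaps "prints" for "prints out"; while this function is being touched, the parameter `str` shadows the builtin `str` type and `return;` carries a stray semicolon, so `def printme(text):` with a bare `return` (or no return at all) would be the idiomatic form.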
Expand All @@ -16,5 +16,5 @@ def arc4_encrypt_password(key, password):
return hashlib.md5(encrypted_password).hexdigest()

# Now you can call printme function
printme("Hello from JFROG");
printme("Hello from JFROG FROGBOT");
printme("this is a log line that is monitored by the team and will cause alerts")
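Review bot: the context line `return hashlib.md5(encrypted_password).hexdigest()` shows that `arc4_encrypt_password` runs an RC4 ciphertext through MD5, which is neither sound encryption nor a sound password hash, and this hunk leaves that function as is while only changing a greeting string and adding a log line; the trailing semicolon on `printme("Hello from JFROG FROGBOT");` should also go.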
20 changes: 20 additions & 0 deletions pythonExample/test.py
@@ -0,0 +1,20 @@
#!/usr/bin/python

# Function definition is here
def printme( str ):
# This prints out a passed string into this function
print (str)
return;

from project import db, app
from Cryptodome.Cipher import ARC4
import hashlib

def arc4_encrypt_password(key, password):
cipher = ARC4.new(key.encode('utf-8'))
encrypted_password = cipher.encrypt(password.encode('utf-8'))

Check failure: Code scanning / CodeQL: Use of a broken or weak cryptographic algorithm (High, test)

The cryptographic algorithm ARC4 is broken or weak, and should not be used.
return hashlib.md5(encrypted_password).hexdigest()

Check warning: Code scanning / JFrog Frogbot: Unsafe Hash Algorithm (Medium, test)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Unsafe Hash Algorithm

Full description

Overview

An unsafe hash algorithm vulnerability occurs when using a known insecure hash algorithm.
A hash algorithm accepts arbitrary input and generates a hash value - a fixed-length output
that can be used to verify the integrity of data, such as passwords or files.
An insecure hash algorithm is an algorithm that an attacker can use to generate
the same hash value for different input data within a reasonable amount of time
("hash collision attack").

Query operation

In this query we look for any usage of weak hash algorithms.

Vulnerable example

from flask import Flask, request
import hashlib

app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('username')
    password = request.form.get('password')

    # Vulnerable hashing mechanism (MD5)
    hashed_password = hashlib.md5(password.encode()).hexdigest()

    if check_password(username, hashed_password):
        return 'Login successful'
    else:
        return 'Login failed'

if __name__ == '__main__':
    app.run()

In this example, the application uses the MD5 hashing algorithm
to hash the user's password before storage. MD5 is considered a weak hashing algorithm,
vulnerable to various attacks, including collision attacks and precomputed lookup tables
(hash inversion).

Remediation

Replace any usage of the md5 and sha1 hash algorithms with stronger hash algorithms such
as sha256 -

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('username')
    password = request.form.get('password')

-    hashed_password = hashlib.md5(password.encode()).hexdigest()
+    hashed_password = hashlib.sha256(password.encode()).hexdigest()

    if check_password(username, hashed_password):
        return 'Login successful'
    else:
        return 'Login failed'

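Frogbot's remediation above replaces MD5 with SHA-256; for stored passwords specifically, the defender's next step is a salted, deliberately slow KDF. The following is an added example (not Frogbot's or this project's code) showing why an unsalted fast hash can be inverted with a precomputed table and how PBKDF2-HMAC-SHA256 with a per-user salt and a constant-time comparison avoids that; the candidate password list and the record format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP's current recommendation is 600,000).
PBKDF2_ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """Unsalted, fast MD5 digest, as in the flagged code. Deterministic: the same
    password always yields the same hex string, so a precomputed table inverts it."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precompute weak_hash for a constructed list of common passwords."""
    return {weak_hash(p): p for p in candidates}

def lookup_plaintext(stored_hash: str, table: dict):
    """Return the plaintext behind an unsalted MD5 digest if it is in the table, else None."""
    return table.get(stored_hash)

def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte random salt is drawn when none is given,
    so two users with the same password get different records and no table applies."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constructed self-describing record: algorithm, iteration count, salt and key, all hex.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Constructed sample list; real lookup tables hold millions of entries.
    table = build_lookup_table(["123456", "password", "letmein", "qwerty"])
    print("md5 inverted:", lookup_plaintext(weak_hash("password"), table))
    record = hash_password("password")
    print("pbkdf2 record:", record)
    print("verify ok:", verify_password("password", record))
    print("same password, different records:", record != hash_password("password"))
```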

# Now you can call printme function
printme("Hello from JFROG FROGBOT");
printme("this is a log line that is monitored by the team and will cause alerts")
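Review bot: pythonExample/test.py duplicates pythonProj.py almost line for line (`printme`, `arc4_encrypt_password`, the two calls at the bottom), so both scanners now flag the same ARC4-plus-MD5 construction in a second file; if this is meant as a test fixture it should not carry a second copy of the weak code, and `from project import db, app` is imported but never used. The `printme( str )` parameter shadows the builtin and `return;` has a stray semicolon, as in pythonProj.py.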